bisecting fixing commit since dafd634415a7f9892a6fcc99c540fe567ab42c92
building syzkaller on b5268b89c2964733654c89f8322fb155d9fa6799
testing commit dafd634415a7f9892a6fcc99c540fe567ab42c92 with gcc (GCC) 8.1.0
kernel signature: db2541cbdb3438fc9763031c377b0026b230acfc
run #0: crashed: KASAN: use-after-free Read in kfree_skb
run #1: crashed: KASAN: invalid-free in skb_free_head
run #2: crashed: KASAN: use-after-free Read in kfree_skb
run #3: crashed: KASAN: use-after-free Read in kfree_skb
run #4: crashed: KASAN: use-after-free Read in kfree_skb
run #5: crashed: KASAN: invalid-free in skb_free_head
run #6: crashed: KASAN: invalid-free in skb_free_head
run #7: crashed: KASAN: use-after-free Read in kfree_skb
run #8: crashed: KASAN: use-after-free Read in kfree_skb
run #9: crashed: KASAN: invalid-free in skb_free_head
testing current HEAD 672481c2deffb371d8a7dfdc009e44c09864a869
testing commit 672481c2deffb371d8a7dfdc009e44c09864a869 with gcc (GCC) 8.1.0
kernel signature: 1cfd621b2bea13f86a654108549cc565ca974137
all runs: OK
# git bisect start 672481c2deffb371d8a7dfdc009e44c09864a869 dafd634415a7f9892a6fcc99c540fe567ab42c92
Bisecting: 1149 revisions left to test after this (roughly 10 steps)
[21bb43c0dd8662a9b56d9063f3ae9c4bd885fdf1] fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
testing commit 21bb43c0dd8662a9b56d9063f3ae9c4bd885fdf1 with gcc (GCC) 8.1.0
kernel signature: 75ada619613d3ccee045b7b8e4e8f3d6bd1dee0a
run #0: crashed: KASAN: use-after-free Read in kfree_skb
run #1: crashed: KASAN: use-after-free Read in kfree_skb
run #2: crashed: KASAN: invalid-free in skb_free_head
run #3: crashed: KASAN: use-after-free Read in kfree_skb
run #4: crashed: KASAN: use-after-free Read in kfree_skb
run #5: crashed: KASAN: use-after-free Read in kfree_skb
run #6: crashed: KASAN: use-after-free Read in kfree_skb
run #7: crashed: KASAN: invalid-free in skb_free_head
run #8: crashed: KASAN: use-after-free Read in kfree_skb
run #9: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 21bb43c0dd8662a9b56d9063f3ae9c4bd885fdf1
Bisecting: 574 revisions left to test after this (roughly 9 steps)
[eccc6a2c5354a89f83bab8dfe92094d302c80cb1] firmware: arm_sdei: Fix DT platform device creation
testing commit eccc6a2c5354a89f83bab8dfe92094d302c80cb1 with gcc (GCC) 8.1.0
kernel signature: 0cde445238e88c56bedd176935af11eeded1266c
all runs: OK
# git bisect bad eccc6a2c5354a89f83bab8dfe92094d302c80cb1
Bisecting: 287 revisions left to test after this (roughly 8 steps)
[bdb61fa50b708a45f21095f586fdd08921f3cf50] rtl8xxxu: Fix missing break in switch
testing commit bdb61fa50b708a45f21095f586fdd08921f3cf50 with gcc (GCC) 8.1.0
kernel signature: 0f95b5baabc499cb222ea2c4b5af9821599a4cce
run #0: crashed: KASAN: use-after-free Read in kfree_skb
run #1: crashed: KASAN: use-after-free Read in kfree_skb
run #2: crashed: KASAN: invalid-free in skb_free_head
run #3: crashed: KASAN: use-after-free Read in kfree_skb
run #4: crashed: KASAN: use-after-free Read in kfree_skb
run #5: crashed: KASAN: use-after-free Read in kfree_skb
run #6: crashed: KASAN: use-after-free Read in kfree_skb
run #7: crashed: KASAN: use-after-free Read in kfree_skb
run #8: crashed: KASAN: invalid-free in skb_free_head
run #9: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good bdb61fa50b708a45f21095f586fdd08921f3cf50
Bisecting: 143 revisions left to test after this (roughly 7 steps)
[d2eb50e57a5cef9f8ad0bf749291be90ec77428f] ARM: dts: imx27: Fix memory node duplication
testing commit d2eb50e57a5cef9f8ad0bf749291be90ec77428f with gcc (GCC) 8.1.0
kernel signature: 0a2631073c3d6816394ace6725d37a1b2ba197b8
all runs: OK
# git bisect bad d2eb50e57a5cef9f8ad0bf749291be90ec77428f
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[3349ed266ae22ea9571343b996ffed7fcf500244] USB: serial: mos7840: fix remote wakeup
testing commit 3349ed266ae22ea9571343b996ffed7fcf500244 with gcc (GCC) 8.1.0
kernel signature: a80bf6a8a7e7d26c967c550ea079af5a803329cf
all runs: OK
# git bisect bad 3349ed266ae22ea9571343b996ffed7fcf500244
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[03bf4876a5935ab48e4dbf56ebdffd25e44378a5] Bluetooth: Fix invalid-free in bcsp_close()
testing commit 03bf4876a5935ab48e4dbf56ebdffd25e44378a5 with gcc (GCC) 8.1.0
kernel signature: 0954f79a68c9e4f40904b90efce1d67991584b80
all runs: OK
# git bisect bad 03bf4876a5935ab48e4dbf56ebdffd25e44378a5
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[1d6a0dd6aa535e3c5d9d840e3d0cff55cefabaa8] ACPICA: Use %d for signed int print formatting instead of %u
testing commit 1d6a0dd6aa535e3c5d9d840e3d0cff55cefabaa8 with gcc (GCC) 8.1.0
kernel signature: 9c89a791ce12f3325260ee1957483e5166de9ece
run #0: crashed: KASAN: use-after-free Read in kfree_skb
run #1: crashed: KASAN: use-after-free Read in kfree_skb
run #2: crashed: KASAN: use-after-free Read in kfree_skb
run #3: crashed: KASAN: use-after-free Read in kfree_skb
run #4: crashed: KASAN: use-after-free Read in kfree_skb
run #5: crashed: KASAN: use-after-free Read in kfree_skb
run #6: crashed: KASAN: use-after-free Read in kfree_skb
run #7: crashed: KASAN: invalid-free in skb_free_head
run #8: crashed: KASAN: use-after-free Read in kfree_skb
run #9: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 1d6a0dd6aa535e3c5d9d840e3d0cff55cefabaa8
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[c0418c4a61aa52bf46c234ccc6a067ae0ddbd3ce] pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
testing commit c0418c4a61aa52bf46c234ccc6a067ae0ddbd3ce with gcc (GCC) 8.1.0
kernel signature: 91f9032116547e68492b5762179f3612e164d731
all runs: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good c0418c4a61aa52bf46c234ccc6a067ae0ddbd3ce
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[896f7398152baf02aec8696cd8141d76946b0eb2] i2c: uniphier-f: fix timeout error after reading 8 bytes
testing commit 896f7398152baf02aec8696cd8141d76946b0eb2 with gcc (GCC) 8.1.0
kernel signature: 4a945925bb1a181f3fe78888d119d3d7ad034908
run #0: crashed: KASAN: use-after-free Read in kfree_skb
run #1: crashed: KASAN: use-after-free Read in kfree_skb
run #2: crashed: KASAN: use-after-free Read in kfree_skb
run #3: crashed: KASAN: use-after-free Read in kfree_skb
run #4: crashed: KASAN: invalid-free in skb_free_head
run #5: crashed: KASAN: use-after-free Read in kfree_skb
run #6: crashed: KASAN: use-after-free Read in kfree_skb
run #7: crashed: KASAN: use-after-free Read in kfree_skb
run #8: crashed: KASAN: invalid-free in skb_free_head
run #9: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 896f7398152baf02aec8696cd8141d76946b0eb2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[2b3541ffdd05198b329d21920a0f606009a1058b] ipv6: Fix handling of LLA with VRF and sockets bound to VRF
testing commit 2b3541ffdd05198b329d21920a0f606009a1058b with gcc (GCC) 8.1.0
kernel signature: fc94d5329aacef374ee0366793a3b8b56fc1f75a
run #0: crashed: KASAN: use-after-free Read in kfree_skb
run #1: crashed: KASAN: use-after-free Read in kfree_skb
run #2: crashed: KASAN: invalid-free in skb_free_head
run #3: crashed: KASAN: use-after-free Read in kfree_skb
run #4: crashed: KASAN: use-after-free Read in kfree_skb
run #5: crashed: KASAN: invalid-free in skb_free_head
run #6: crashed: KASAN: invalid-free in skb_free_head
run #7: crashed: KASAN: invalid-free in skb_free_head
run #8: crashed: KASAN: use-after-free Read in kfree_skb
run #9: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 2b3541ffdd05198b329d21920a0f606009a1058b
Bisecting: 0 revisions left to test after this (roughly 1 step)
[006360ec33d9387610f641c633aef0e523753b8d] mm/page_io.c: do not free shared swap slots
testing commit 006360ec33d9387610f641c633aef0e523753b8d with gcc (GCC) 8.1.0
kernel signature: d2661cc9910a50fcae2f2bcc08442ebb1db6c10f
run #0: crashed: KASAN: use-after-free Read in kfree_skb
run #1: crashed: KASAN: use-after-free Read in kfree_skb
run #2: crashed: KASAN: invalid-free in skb_free_head
run #3: crashed: KASAN: use-after-free Read in kfree_skb
run #4: crashed: KASAN: use-after-free Read in kfree_skb
run #5: crashed: KASAN: use-after-free Read in kfree_skb
run #6: crashed: KASAN: use-after-free Read in kfree_skb
run #7: crashed: KASAN: use-after-free Read in kfree_skb
run #8: crashed: KASAN: use-after-free Read in kfree_skb
run #9: crashed: KASAN: use-after-free Read in kfree_skb
# git bisect good 006360ec33d9387610f641c633aef0e523753b8d
03bf4876a5935ab48e4dbf56ebdffd25e44378a5 is the first bad commit
commit 03bf4876a5935ab48e4dbf56ebdffd25e44378a5
Author: Tomas Bortoli
Date:   Fri Nov 1 21:42:44 2019 +0100

    Bluetooth: Fix invalid-free in bcsp_close()

    commit cf94da6f502d8caecabd56b194541c873c8a7a3c upstream.

    Syzbot reported an invalid-free that I introduced fixing a memleak.

    bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.

    Nullify bcsp->rx_skb every time it is freed.

    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
    Signed-off-by: Marcel Holtmann
    Cc: Alexander Potapenko
    Signed-off-by: Greg Kroah-Hartman

 drivers/bluetooth/hci_bcsp.c | 3 +++
 1 file changed, 3 insertions(+)

culprit signature: 0954f79a68c9e4f40904b90efce1d67991584b80
parent signature: d2661cc9910a50fcae2f2bcc08442ebb1db6c10f
revisions tested: 13, total time: 3h19m36.31665098s (build: 1h53m45.092679199s, test: 1h24m10.905734146s)
first good commit: 03bf4876a5935ab48e4dbf56ebdffd25e44378a5 Bluetooth: Fix invalid-free in bcsp_close()
cc: ["gregkh@linuxfoundation.org" "marcel@holtmann.org" "tomasbortoli@gmail.com"]